
Establishing trust with SOC reports

When you outsource services that touch your financial records or customer data, it is critical to verify that the service organization has effective internal controls in place. This is where a System and Organization Controls (SOC) report comes into play. A successful SOC audit establishes trust and confidence in a service provider by providing independent assurance that its internal controls over the systems that affect you and your company are suitably designed and operating as intended. If the report is less than ideal, it highlights the areas where the provider needs to improve its internal controls. Internal controls are the implemented mechanisms, rules and procedures that safeguard the integrity of financial and accounting information and prevent fraud.

One example of when you might request a SOC report is when you hire a payroll processing company. From the outset you recognize the material impact payroll has on your financial statements. As such, you may ask the company to provide some assurance that your payroll will be handled in accordance with your expectations. In this case, you can request a SOC 1 report to verify that the payroll processing provider does in fact have effective internal controls in place. The same idea holds for IT companies, cloud service providers and many others.

If you are the service provider, it may be in your best interest to seek out a SOC report on your own. This allows you the opportunity to present a successful report to multiple customers, thereby demonstrating the security and effectiveness of your systems.

It is critical to understand which SOC report is necessary for your specific situation. Each type of report attests to controls implemented within the service organization, but each places its focus in a different area.

A Brief History of Service Organization Reporting (SOC Reports)

In 1992 the Statement on Auditing Standards (SAS) No. 70, Service Organizations, became the central source of requirements and guidance for certified public accountants (CPAs) who report on controls at service organizations and/or audit the financial statements of entities that use service organizations to complete tasks affecting their financial statements. However, significant reform announced in 2010 and effective in 2011 split the long-standing standard and replaced it with two new standards.

The first new standard was the Statement on Standards for Attestation Engagements (SSAE) No. 16 and the other was a new SAS. SSAE 16, Reporting on Controls at a Service Organization, is self-explanatory: it contains the requirements for reporting on controls at a service organization.

SSAE No. 18 subsequently superseded SSAE No. 16. SSAE 18 took effect May 1, 2017 and clarified the requirements for performing and reporting on examination, review and agreed-upon procedures engagements. Additionally, the American Institute of CPAs (AICPA) revised the meaning of SOC from “Service Organization Controls” to “System and Organization Controls” in April 2017. The idea behind the rebrand was to broaden what SOC reports can cover and extend their reach to a wider audience.

Understanding SOC Reports: What is the SOC 1 Report?

The main distinction of SOC 1 is that it addresses the service organization’s controls that are relevant to its customers’ financial reporting, not the service organization’s own financial statements. A SOC 1 report is particularly important for a service organization whose services affect the user entity’s internal control over financial reporting. Some examples of organizations that may require SOC 1 reports are:

  • Payroll processors
  • Medical claims processors
  • Data centers
  • Lending services
  • Cloud service providers
  • Human resources support services
  • Software-as-a-service (SaaS) companies

Types of SOC 1 Reports

SSAE No. 16 outlined two types of SOC 1 reports.

A SOC 1 Type I report is an independent snapshot of the organization’s control environment and of whether its controls are suitably designed to meet the stated control objectives as of a given date. The report evaluates the design of the controls relevant to financial reporting; it does not test whether those controls operated effectively over time.

By contrast, a SOC 1 Type II report introduces a historical element, demonstrating that the controls were both suitably designed and operating effectively over a designated period. AICPA guidance generally calls for a review period of at least six months of control operation for a SOC 1 Type II report. When relying on a Type II report, check that the period it covers lines up with the period you need assurance for; a report whose period ended many months ago says nothing about the controls today.

Most importantly, a SOC 1 report from a service provider helps the public companies that use that provider comply with Sarbanes-Oxley Section 404 requirements by demonstrating effective internal controls over the outsourced portion of their financial reporting.

What is the Sarbanes-Oxley (SOX) Act of 2002?

The U.S. Congress passed the Sarbanes-Oxley Act of 2002 in response to the financial scandals of the early 2000s involving publicly traded companies such as Enron Corporation, Tyco International plc and WorldCom. The Act is intended to protect investors from fraudulent corporate financial reporting by amending or supplementing existing securities regulations and other laws enforced by the Securities and Exchange Commission (SEC). SOX focuses on four principal areas of concern: corporate responsibility, increased criminal penalties, accounting regulation and new protections.

SOC 1 reports satisfy some stipulations of Section 404 of Sarbanes-Oxley. Section 404 requires company management to assess and report on the effectiveness of the company’s internal control over financial reporting, and the company’s external auditor to attest to that assessment. Where part of that financial reporting runs through a service organization, the user entity relies on the provider’s SOC 1 report for the portion of the control environment it cannot inspect directly.

Understanding SOC Reports: What is the SOC 2 Report?

Whereas SOC 1 addresses controls relevant to your business’s financial reporting, SOC 2 emphasizes the security and protection of customer data. It verifies the handling and protection of client data by a service organization in an examination performed under AT-C 205, Examination Engagements. SOC 2 reporting has become increasingly important as cloud services mature and economic conditions encourage more companies to outsource. When deciding on a cloud service provider for your company or electing to outsource some IT functions, the first question should be, “Is our information secure?” This is where SOC 2 audits are crucial. A SOC 2 report follows an approach similar to SOC 1, but instead hones in on the controls over the IT systems that process confidential client data. SOC 2 audits focus on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.

A SOC 2 report is particularly important for service organizations that process users’ data and need to ensure the confidentiality and privacy of the information processed by the organization’s systems. The report is crucial for:

  • Organizational oversight
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

Who needs a SOC 2 Report?

A SOC 2 audit is best practice for any service-based organization that stores, manages or processes client information in the cloud. In particular, this applies to companies that provide SaaS and cloud storage services.

Typically, it is beneficial for any service organization that processes or maintains information requiring a controlled or secure system to have a SOC 2 report to show to prospective clients and other appropriate third parties, such as external auditors, vendor management teams or regulators.

Trust Services Criteria

SOC 2 reporting derives its focus from the control criteria known as the Trust Services Criteria (TSC), previously known as the Trust Services Principles. The TSC are used to evaluate and report on controls over information and systems at one of four levels: 1) across an entire entity, 2) at a subsidiary, division or operating unit level, 3) within a function relevant to the entity’s operational, reporting or compliance objectives, or 4) for a particular type of information used by the entity. The TSC are divided into categories, defined by the AICPA as:

Security – “Information and systems are protected against unauthorized access, unauthorized disclosure of information, and/or damage to systems that could compromise the availability, integrity, confidentiality and privacy of information or systems and affect the entity’s ability to meet its objectives.”

Availability – “Information and systems are available for operation and use to meet the entity’s objectives.”

Processing integrity – “System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.”

Confidentiality – “Information designated as confidential is protected to meet the entity’s objectives.”

Privacy – “Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.”

Types of SOC 2 Reports

As with SOC 1, there are two types of SOC 2 reports, and as with SOC 1 the difference between them is the period of time the report covers.

A SOC 2 Type I report covers management’s description of the service organization’s system and the suitability of the design of its controls. Type I reports describe the evidence of design effectiveness that the auditor observes at a particular point in time.

This differs from a SOC 2 Type II report, which covers management’s description of the service organization’s system together with both the suitability of the design and the operating effectiveness of its controls. The Type II report attests that the organization actually performed these control activities throughout a period of time. For example, the report may state that the provider holds monthly meetings to review capacity and that the auditor inspected the minutes of those meetings for each month in the period. A SOC 2 Type II report analyzes the controls designed to protect client data, as well as the efficiency, consistency and documentation of these controls and their relation to operational performance.

What is included in SOC reports?

A SOC report contains management’s description of the system and its internal controls and the auditor’s opinion regarding those controls. The report typically presents the auditor’s opinion in the following areas:

  • Fairness of the service organization’s descriptions of their controls
  • Design effectiveness of the internal controls
  • Operational effectiveness of the internal controls over a designated period of time (Type II only)

Upon evaluating the listed areas, the auditor issues an opinion. The opinion is “unqualified” if all of the items are achieved. The opinion is “qualified” (one form of a modified opinion) if the items are achieved except for one or more significant exceptions. Finally, the auditor issues an “adverse” opinion if the deficiencies are so pervasive that the service organization fails one or more of the above. Even when the opinion is unqualified, a reader should review the detailed test results in the report, since individual control exceptions are listed there together with management’s response, and should confirm that the systems and locations covered by the report are the ones actually used to deliver the service relied upon.

For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.
